Re: Can I stop these port 53 detects?

[Phil Wood <cpw () lanl gov>]

You need some pass rules for 53 -> 53.  And you need to fix the
<1024 rule.  It probably has a :1024 in it.  That catches legitimate
dns of the form 1024 -> 53.  Change it to :1023.

On Thu, Jun 21, 2001 at 08:06:09PM +0000, info.sec () att net wrote:
> Greetings,
>
> I hope this isn't in a FAQ somewhere - I couldn't find 
> it.
>
> I'm running Snort 1.7 on an OpenBSD 2.8 system.
> I have a line in my snort.conf file like this:
>
> # Define the addresses of DNS servers and other hosts
> var DNS_SERVERS [aa.bb.cc.dd/32,ee.ff.gg.hh/32]
>
>
> But my alert log still fills up with these:
>
> [**] MISC source port 53 to <1024 [**]
> 06/21-12:55:52.409466 ee.ff.gg.hh:53 -> 1.2.3.4:685
> UDP TTL:246 TOS:0x0 ID:35418 IpLen:20 DgmLen:205 DF
> Len: 185
>
> Where 1.2.3.4 is the outside interface of my firewall.
>
> Is there anything I can do to stop Snort from keying on 
> these port 53 packets from one of our DNS servers?
>
> TIA!
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users